Isaca Updated CRISC Exam Questions and Answers by rocky

The best method to maintain a common view of IT risk within an organization is to establish and communicate the IT risk profile. An IT risk profile is a document that summarizes the key IT risks that the organization faces or accepts, and their likelihood, impact, and priority. An IT risk profile helps to identify and prioritize the most critical or relevant IT risks, and to align them with the organization’s objectives, strategy, and risk appetite. Establishing and communicating the IT risk profile is the best method to maintain a common view of IT risk, because it helps to create a shared understanding and awareness of the IT risks among the organization’s stakeholders, such as the board, management, business units, and IT functions. Establishing and communicating the IT risk profile also helps to facilitate the IT risk decision-making and reporting processes, and to monitor and control the IT risk performance and improvement. The other options are not the best method to maintain a common view of IT risk, although they may be part of or derived from the IT risk profile. Collecting data for IT risk assessment, utilizing a balanced scorecard, and performing and publishing an IT risk analysis are all activities that can help to support or update the IT risk profile, but they are not the best method to maintain a common view of IT risk. References = Risk and Information Systems Control Study Manual, Chapter 1, Section 1.3.1, page 1-15.

 Risk appetite is the amount and type of risk that an organization is willing to accept in pursuit of its objectives. Risk appetite can be expressed in qualitative or quantitative terms, and can vary depending on the context and the stakeholder. Risk appetite should be defined and communicated by the senior management or the board of directors, and should guide the risk management decisions and actions throughout the organization. When a project team has accepted a risk outside the established risk appetite, the risk practitioner’s best course of action is to escalate the risk decision to the project sponsor for review, meaning that the risk practitioner should report the risk acceptance and its rationale to the project sponsor, who is the person or group that provides the resources and support for the project, and is accountable for its success. The project sponsor should review the risk decision and determine whether it is aligned with the organization’s objectives and strategy, and whether it requires any further approval or action. References = Risk and Information Systems Control Study Manual, Chapter 1, Section 1.3.1, p. 25-26

Key risk indicators (KRIs) are metrics that provide an early warning of increasing risk exposure in various areas of the organization. They help to monitor changes in the level of risk and enable timely actions to mitigate the risk. The most useful information for developing KRIs is the possible causes of materialized risk, which are the factors or events that trigger or contribute to the occurrence of a risk. By identifying the possible causes of materialized risk, an organization can design KRIs that measure the likelihood and impact of the risk, and alert the management when the risk exceeds the acceptable level. References = CRISC Review Manual, 7th Edition, page 101.

The most important objective from a cost perspective for considering aggregated risk responses in an organization is to address more than one risk response. Aggregated risk responses are risk responses that can affect multiple risks or objectives simultaneously. By addressing more than one risk response, the organization can achieve cost efficiency and effectiveness in risk management. Prioritizing risk response options, reducing likelihood, and reducing impact are other possible objectives, but they are not as important from a cost perspective as addressing more than one risk response. References = ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, question 10; CRISC Review Manual, 6th Edition, page 140.